PDF(274 KB)
Boosting performance in attack intention recognition by integrating multiple techniques
Hao BAI, Kunsheng WANG, Changzhen HU, Gang ZHANG, Xiaochuan JING
PDF(274 KB)
PDF(274 KB)
Boosting performance in attack intention recognition by integrating multiple techniques
Recognizing attack intention is crucial for security analysis. In recent years, a number of methods for attack intention recognition have been proposed. However, most of these techniques mainly focus on the alerts of an intrusion detection system and use algorithms of low efficiency that mine frequent attack patterns without reconstructing attack paths. In this paper, a novel and effective method is proposed, which integrates several techniques to identify attack intentions. Using this method, a Bayesian-based attack scenario is constructed, where frequent attack patterns are identified using an efficient data-mining algorithm based on frequent patterns. Subsequently, attack paths are rebuilt by re-correlating frequent attack patterns mined in the scenario. The experimental results demonstrate the capability of our method in rebuilding attack paths, recognizing attack intentions as well as in saving system resources. Specifically, to the best of our knowledge, the proposed method is the first to correlate complementary intrusion evidence with frequent pattern mining techniques based on the FP-Growth algorithm to rebuild attack paths and to recognize attack intentions.
attack path / attack intention / compensatory intrusion evidence / FP-Growth
| [1] |
YiP, XingH, WuY, CaiJ. Alert correlation through results tracing back to reasons. In: Proceedings of the 2009 International Conference on Communications and Mobile Computing. Kunming, 2009, 465–469
|
| [2] |
NingP, XuD, HealeyC, AmantR. Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium. 2004, 97–111
|
| [3] |
SoleimaniM, GhorbaniA. Critical episode mining in intrusion detection alerts. In: Proceedings of the 6th Communication Networks and Services Research Conference, Halifax, 2008, 157–164
CrossRef
Google scholar
|
| [4] |
WangL, LiZ, LiD, LeiJ. Attack scenario construction with a new sequential mining technique. In: 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing. 2007, 53–87
|
| [5] |
AgrawalR, SrikantR. Fast Algorithms for Mining Association Rules. IBM Alamnden Research Center. 1994
|
| [6] |
HanJ, PeiJ, YinY, MaoR. Mining frequent patterns without candidate generation: A frequent-pattern tree approach. Data Mining and Knowledge Discovery, 2004, 8(1): 53–87
CrossRef
Google scholar
|
| [7] |
PeiJ, HanJ, WangW. Constraint-based sequential pattern mining: the pattern-growth methods. Journal of Intelligent Information Systems, 2007, 28(2): 133–160
CrossRef
Google scholar
|
| [8] |
CuppensF, MiegeA. Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy. 2002, 202–215
CrossRef
Google scholar
|
| [9] |
XiaoS, ZhangY, LiuX, GaoJ. Alert fusion based on cluster and correlation analysis. In: Proceedings of International Conference on Convergence and Hybrid Information Technology 2008. Gyeongbuk S. Korea, 2008, 163–168
|
| [10] |
YusofR, SelamatS R, SahibS. Intrusion alert correlation technique analysis for heterogeneous log. IJCSNS International Journal of Computer Science and Network Security, 2008, 8(9), 132–138
|
| [11] |
LongW, XinY, YangY. Vulnerabilities analyzing model for alert correlation in distributed environment. In: Proceedings of the 2009 IITA International Conference on Services Science, Management and Engineering. Zhangjiajie, 2009, 408–411
|
| [12] |
LiuZ, WangC, ChenS. Correlating multi-step attack and constructing attack scenarios based on attack pattern modeling. In: Proceedings of the International Conference on Information Security and Assurance. Busan, 2008, 214–219
|
| [13] |
XuM, WuT, TangJ. An IDS alert fusion approach based on happened before relation. In: Proceedings of 4th International Conference on Wireless Communications, Networking and Mobile Computing. Dalian, 2008, 1–4
CrossRef
Google scholar
|
| [14] |
YiP, XingH, WuY, LiL. Alert correlation by a retrospective method. In: Proceedings of the 23rd international conference on Information Networking. Chiang Mai, 2009, 380–382
|
| [15] |
LiZ, LeiJ, WangL, LiD. A Data mining approach to generating network attack graph for intrusion prediction. In: Proceedings of 4th International Conference on Fuzzy Systems and Knowledge Discovery. Haikou, 2007, 307–311
|
| [16] |
LiZ, ZhangA, LeiJ, WangL. Real-time correlation of network security alerts. In: Proceedings of IEEE International Conference on e-Business Engineering. 2007, 73–80
|
| [17] |
LiW, TianS. Preprocessor of intrusion alerts correlation based on ontology. In: Proceedings of 2009 International Conference on Communications and Mobile Computing. Kunming, 2009, 460–464
CrossRef
Google scholar
|
| [18] |
QinX, LeeW. Attack plan recognition and prediction using causal networks. In: Proceedings of the 20th Annual Computer Security Applications Conference. 2004, 370–379
|
| [19] |
QinX, LeeW. Statistical causality analysis of INFOSEC alert data. In: Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection. 2003, 73–93
CrossRef
Google scholar
|
| [20] |
OuX, GovindavajhalaS, AppelA. MulVAL: A logic-based network security analyzer. In: 14th USENIX Security Symposium. Society for Industrial and Applied Mathematics. 2005, 8–8
|
| [21] |
OuX. Logic-programming approach to network security analysis. PhD thesis. Department of Computer Science. Princeton University. 2005
|
| [22] |
MeiH, GongJ. Intrusion alert correlation based on D-S evidence theory. In: Proceedings of 2nd International Conference on IEEE Communications and Networking in China. Shanghai, 2007, 377–381
|
| [23] |
HofmannA, DedinskiI, SickB, deMeerH. A novelty-driven approach to intrusion alert correlation based on distributed hash tables. In: Proceedings of 12th IEEE Symposium on Computer and Communications. Averio Portugal, 2007, 71–78
|
| [24] |
PeiJ, HanJ, LuH, NishioS, TangS, YangD. H-mine: hyper-structure mining of frequent patterns in large database. In: Proceedings of 1st IEEE International Conference on Data Mining. 2001, 441–448
|
| [25] |
ZhaiY, NingP, IyerP, ReevesD. Reasoning about complementary intrusion evidence. In: Proceedings of the 20th annual Computer Security Applications Conference. 2004, 39–48
|
/
| 〈 |
|
〉 |
AI Summary
